Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3418
Views
5
Helpful
18
Replies

VPN ASA 2110 clustering

Go to solution
Amafsha1
Level 2
Level 2

‎02-24-2020 06:00 PM

Hello,

 

I currently have a 2110 running ASA image.  It's used for AnyConnect only.  I have 1 arm on the outside(connected through a L2 switch) and 1 arm on the inside (connected through a L2 switch).  I bought another 2110 and plan to put ASA image on it and cluster it with my current ASA.  Can anyone point me to good documentation around setting this up?  I found some good documentation, but it only seems to be for when connecting to Nexus cores using VPCs and not regular port-channels to a 3750 switch for example. Also none of the documents seem to point to being able to use the cluster control link via a direct connection between the 2 ASAs but instead must go through a switch to do this.  Is it not possible to build the cluster control link by directly connecting cables directly from the ASA to the other ASA?

 

 

0 Helpful
18 Replies 18

Go to solution
mabernar
Cisco Employee
Cisco Employee
In response to Amafsha1

‎04-07-2020 12:01 PM

You set the priority on one of the ASAs to be the master and it will redirect the traffic to the other devices. It does this because the master will monitor the workload on the other devices and divide up the connections based on the feedback from the other servers in the cluster.

Go to solution
mabernar
Cisco Employee
Cisco Employee
In response to Amafsha1

‎04-07-2020 12:40 PM

Also, another good white paper explaining VPN Load balancing. You could also use an outside load balancing device like an F5 or even a Nexus with the ITD feature. The Pros and Cons are discussed here:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/misc/anyconnect-faq/anyconnect-faq.html#Cisco_Reference.dita_932bcd38-9cb6-49ef-889c-40e57df87c7f

 

HTH

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to mabernar

‎04-09-2020 01:49 PM

Thank you for your help, I just have one last question.

 

This solution is good for load-balancing because the primary VPN that answers to vpn.xyz.com  will give the connection to the other VPN....but let's say that the primary box goes down...what will happen?  Do I also need to configure active/standby on the 2 boxes along with the Load-balancing configs?  Will that work?  

0 Helpful

Go to solution
Amafsha1
Level 2
Level 2
In response to mabernar

‎04-09-2020 02:39 PM

I just checked out your link.  It looks like 

Option 2b: Two to Ten ASAs in Active/Standby with VPN load balancing enabled

will accomodate what I'm trying to do but there is no configuration example or anything.  Thanks again for your help and sending this link.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card